We have decided to make another blog post around this topic as we receive a lot of questions daily around Pentesting Certifications from students, college grads and other IT consultants. Now if you want to offer Penetration Testing services, which certifications should I possess?

The answer is tricky. There is no international standard like with vendor certifications from Cisco, Juniper and the likes. The main question is, where do you want to conduct Pentests / where are your customers?

United States

The EC Council and the relevant certifications Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT) are usually required for US engagements. We have also seen that companies recognise the value of the Offensive Security Certifications (OSCP, OSWP etc.) because those certs really show practical skills and the exams are 100% hands on. Mile 2, GIAC/GPEN are also gaining momentum in the US. As the US typically sets the benchmark for IT innovation and certification, those exams are a good starting point for Pentesters. As for exam fees, the CEH is around $500 USD for the exam, Offsec around $1200 for the training, lab access and the exam.

Rest of the world (Latin America, Africa, Asia, Oceania and Europe (except the UK)

The certifications which are typically asked for anywhere else in the world are the CEH and LPT from EC Council. Offensive Security also gets more and more attention outside North America.


Unfortunately they run their own country specific certification program called CREST. The content is very much alike the one from the EC Council but it’s a UK certification only. The problem with CREST is that a lot of the UK businesses require that certification for a Pentest engagement, whilst it’s completely unknown and unrecognised anywhere else in the world except for Australia. So if you are a Pentester in the UK, you have to get CREST certs for UK work and the other international ones in case you want to do engagements in mainland Europe, North America or elsewhere. We recently wanted to engage a highly skilled CREST certified contractor from the UK for a US client with offices in Europe, but the customer did not accept CREST, so we had to swap consultants on this engagement. Also the pricing is very expensive ranging from around $600 USD to $2500 USD per single exam.


It’s not as straight forward as with vendor certifications or internationally accepted certs like the CISSP. Like with all certifications, nothing beats real world experience but you need to have some certifications under the belt to give customers and employers a comfort blanket. Personally we think that the Offensive Security Certifications are the best ones in the field, as they are really touch hands-on exams rather than multiple choice questions.


Penetration Testing Certifications

Author: Martin Voelk
November 27, 2014

We often get asked, what are the benchmark Penetration Testing Certifications which are either government or IT industry accredited?

Here is our take on it:


Widely respected and known. They offer the Certified Ethical Hacker (C|EH), Licensed Penetration Tester (L|PT) amongst other IT Security and Forensic certifications. They hold a good reputation throughout the US and other countries


The offer an associate and a professional Pentesting Certification. Those have been recognised by the NSA/CNSS as well. Still widely unknown outside North America, but certainly interesting to keep an eye on.

Offensive Security

In our opinion the best training and the best exams. Rather than multiple choice questions like in exams with Mile2 and EC-Council, you actually have to Pentest/Hack in your exam, so you really need to show skills to pass.

Other certifications help, such as the CISSP, Cisco CCIE Security, Cisco CCNP Security and the likes, but those are more vendor and general technology geared, whereas those 3 above are focused around Penetration Testing.

The UK has its own certification program called CREST and CHECK and UK customers often decline companies which “only” have the US Certifications. Oh well, they need their own program just like they drive on the wrong side of the road, too :-)